Analysis
-
max time kernel
149s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
09-12-2024 21:22
General
-
Target
try again please.exe
-
Size
63KB
-
MD5
11ee3cbc775dd3ffb5ee383aa250e46c
-
SHA1
06969e1b529d4caf9f2efc37c71ce1bd739fbc26
-
SHA256
29c74b4d8f3f1ac56cae20be01b8969ee412427e6c4a2d5e2aab678eb53ed83e
-
SHA512
4bedbda5ce9e6f02eb72a965a56f2cfdba5229361bda7391ac71a2daa6636a48866f98504e5ff61991df6c587af129746b7399bc2d88594569ef38df19a1adfd
-
SSDEEP
768:xtM6NqDuiP/tkiP9JqBIe1wl5SNyNs1+ZSCv7mqb2nrpwH1ol9v68GhZVc6KN:xiDBlnecNsPGbbOwq9fGhZVclN
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:7707
127.0.0.1:23198
benefits-required.gl.at.ply.gg:23198:7707
benefits-required.gl.at.ply.gg:23198:23198
roaroaroaraoroaroaraoraoraoarororrohrorororoaroaaoaoaoaroaroar
-
delay
1
-
install
true
-
install_file
windows defender firewall.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\try again please.exe"C:\Users\Admin\AppData\Local\Temp\try again please.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F9B.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169B
MD515cb868e60f4a6704462d8b5f2c2206d
SHA1aa87cd298a856ead331b751e4dbe1e6ca9364482
SHA2566cae12813aa0755e1bf33e1308806fc912153acb1df35c95a0bbdd3bc418ad2f
SHA512333ef9d098aeae5521153509bad4f6243ec5b180c67380c23225d5a39fe958c86ee6cee3aa3efbefa161ccba50dac59bb3931529e5030980b294d74d0aeb43b0
-
Filesize
63KB
MD511ee3cbc775dd3ffb5ee383aa250e46c
SHA106969e1b529d4caf9f2efc37c71ce1bd739fbc26
SHA25629c74b4d8f3f1ac56cae20be01b8969ee412427e6c4a2d5e2aab678eb53ed83e
SHA5124bedbda5ce9e6f02eb72a965a56f2cfdba5229361bda7391ac71a2daa6636a48866f98504e5ff61991df6c587af129746b7399bc2d88594569ef38df19a1adfd
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB